Removal Instructions - Umbrella Insights

This article sets out the process for rolling back or removing an Umbrella Insights deployment. Due to the nature of the product, the deployment can be split into 'sites' which operate independently of each other, so for larger deployments the removal process can be broken down into smaller 'per-site' tasks.

Solution

1 - Switching DNS away from Umbrella

If Insights has been correctly deployed, your network clients will be exclusively using Virtual Appliances (VAs) as their DNS servers. If you remove your Virtual Appliances before changing your DHCP settings to point DNS back to your local DNS servers, DNS resolution will fail both internally and externally. Therefore, this is a particularly important step.

The second point to consider when switching DNS settings is that your local DNS servers should be using the OpenDNS Anycast IP addresses as their forwarders. If this is the case, policy will still be applied to DNS queries leaving the network until you either change the forwarders to point to another public or ISP DNS service, or delete any 'Networks' (the egress IP from which your DNS servers reach the Internet) from your Umbrella Dashboard. If Umbrella resolvers receive DNS queries from a network that is registered to a customer organisation, they will enforce the policy which applies to that 'network' identity. Note that the default policy cannot be deleted from the Dashboard and has default security settings applied, so it will always block some destinations.

NOTE:

Once you're no longer using the Umbrella service then it doesn't really matter which order the removal is done in. We'll go through each of the components.

2 - Uninstalling the Connector

The connector is normally installed on only a couple of servers on the network and can simply be uninstalled through Add/Remove Programs. This is a quick and painless process and often all that is required. No reboot is required. If your organisation has a large number of connectors to remove, you could investigate using Group Policy or a small PowerShell script to automate the task.
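One way to script the uninstall across several servers, as an added example that is not the script from the original article or from the vendor. The server names and the display-name pattern are assumptions; confirm the exact product name shown in Add/Remove Programs on one server before using it.

```powershell
# Added example: silent removal of the connector from a list of servers.
# ASSUMPTIONS: host names are placeholders and the display-name pattern is a
# guess; check the name shown in Add/Remove Programs and adjust $NamePattern.
$Servers     = @('DC01', 'DC02')          # hypothetical server names
$NamePattern = '*OpenDNS*Connector*'      # assumed display-name pattern

$results = Invoke-Command -ComputerName $Servers -ArgumentList $NamePattern -ScriptBlock {
    param($Pattern)

    # Uninstall entries for 64-bit and 32-bit installers
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $apps = @(Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $Pattern })

    if ($apps.Count -eq 0) {
        return [pscustomobject]@{ Product = $null; Status = 'NotInstalled'; ExitCode = $null }
    }

    foreach ($app in $apps) {
        # MSI-based installs use the product code (a GUID) as the key name
        if ($app.PSChildName -notmatch '^\{[0-9A-Fa-f-]{36}\}$') {
            [pscustomobject]@{ Product = $app.DisplayName; Status = 'NotMsi-RemoveManually'; ExitCode = $null }
            continue
        }
        $proc = Start-Process -FilePath 'msiexec.exe' `
            -ArgumentList "/x $($app.PSChildName) /qn /norestart" -Wait -PassThru
        # 0 = success, 3010 = success with a reboot pending
        $status = if ($proc.ExitCode -in 0, 3010) { 'Removed' } else { 'Failed' }
        [pscustomobject]@{ Product = $app.DisplayName; Status = $status; ExitCode = $proc.ExitCode }
    }
}

# One row per server and product, so failures are visible before moving on
$results | Sort-Object PSComputerName |
    Format-Table PSComputerName, Product, Status, ExitCode -AutoSize
```

Any server reported as `Failed` or `NotMsi-RemoveManually` still has the connector installed and should be handled through Add/Remove Programs.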

The only service that should be using this account is the OpenDNS Connector service, therefore deleting the account after the service has been uninstalled should have no adverse effects at all.

The Domain Controller configuration script performed two tasks:

Set permissions for the OpenDNS_Connector user account to allow the connector to read logon events from other DCs' security event logs

Ran an API call to register the domain controller to the Umbrella dashboard, which in turn allowed the connector to learn which DCs to connect to in order to capture logon events.

You can undo the effects of the script by simply deleting this user.

4 - Deleting the Virtual Appliance

Each instance of the VA can simply be deleted. If the first step has been followed, they should be serving no DNS requests, so deleting them should have zero impact on the network. It would be advisable to first shut down the VAs and ensure all services remain operational before deleting the virtual machines.

5 - Deleting Insights AD components from the Umbrella Dashboard

When a VA or Connector is installed, it registers a corresponding object to the dashboard under:

-->settings -->Sites and Active Directory

The Domain Controller configuration script also registers each DC it is run on to the dashboard. All of these objects can be deleted. It is worth noting that this is also where 'Umbrella Sites' can be created, and where the Insights components are divided into these sites, so if you are removing on a site-by-site basis, ensure you only delete the components that are assigned to that site.